From 58d372fe97decbd4994e8a3dffe092c0f6ad876f Mon Sep 17 00:00:00 2001
From: Lander Van den Bulcke
Date: Tue, 4 Nov 2025 17:31:50 +0100
Subject: [PATCH] feat: add fail2ban to hyp-01
Signed-off-by: Lander Van den Bulcke
---
 hosts/hyp-01/default.nix | 1 +
 hosts/hyp-01/modules/fail2ban.nix | 23 +++++++++++++++++++++++
 2 files changed, 24 insertions(+)
 create mode 100644 hosts/hyp-01/modules/fail2ban.nix
diff --git a/hosts/hyp-01/default.nix b/hosts/hyp-01/default.nix
index fb4ed38..9c9d0aa 100644
--- a/hosts/hyp-01/default.nix
+++ b/hosts/hyp-01/default.nix
@@ -17,6 +17,7 @@
 ./modules/boot.nix
 ./modules/disko.nix
+ ./modules/fail2ban.nix
 ./modules/impermanence.nix
 ./modules/networking.nix
 ./modules/users.nix
diff --git a/hosts/hyp-01/modules/fail2ban.nix b/hosts/hyp-01/modules/fail2ban.nix
new file mode 100644
index 0000000..0f442be
--- /dev/null
+++ b/hosts/hyp-01/modules/fail2ban.nix
@@ -0,0 +1,23 @@
+{ pkgs, ... }:
+{
+ environment.etc = {
+ "fail2ban/filter.d/nginx-bruteforce.conf".text = ''
+ [Definition]
+ failregex = ^.*GET.*(matrix/server|\.php|admin|wp\-).* HTTP/\d.\d\" 404.*$
+ '';
+ };
+
+ services.fail2ban = {
+ enable = true;
+
+ ignoreIP = [
+ "100.64.0.0/24" # tailnet
+ ];
+
+ maxretry = 3;
+ bantime = "2h";
+
+ extraPackages = [ pkgs.ipset ];
+ banaction = "iptables-ipset-proto6-allports";
+ };
+}
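Review bot: The `failregex` line in the new `nginx-bruteforce.conf` filter captures no client address — fail2ban requires a `<HOST>` (or `<ADDR>`) group in every failregex and refuses to load a filter that lacks one, so as written this filter can never produce a ban; with nginx's default combined log format the address is the first field, so the line should read something like `failregex = ^<HOST> .*"GET .*(matrix/server|\.php|admin|wp\-).* HTTP/\d\.\d" 404.*$` (also escaping the dot in the HTTP version, which currently matches any character). Nothing in the hunk binds the filter to a log either: there is no `services.fail2ban.jails` entry naming it, so the `environment.etc` file is dead config until a jail with `filter`, `logpath` and `enabled` is added (sketch below; the exact jail option shape depends on the NixOS module version in use, and whether the module picks up filters from `environment.etc` rather than its own generated config should be confirmed on the host). Separately, the `ignoreIP` entry is commented "tailnet" but `100.64.0.0/24` covers only 256 addresses of the `100.64.0.0/10` range Tailscale allocates from, so tailnet peers outside that /24 can still be banned — widen it to `100.64.0.0/10` if the whole tailnet is meant. The ipset-based `banaction` also presumes an iptables-backed firewall; if `networking.nftables.enable` is set on hyp-01, an nftables banaction is needed instead.
```nix
services.fail2ban = {
  enable = true;
  # … unchanged: ignoreIP, maxretry, bantime, extraPackages, banaction …
  jails.nginx-bruteforce.settings = {
    enabled = true;
    filter = "nginx-bruteforce";
    logpath = "/var/log/nginx/access.log"; # placeholder: use the access log path configured on hyp-01
  };
};
```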